The news of the Equifax data breach, involving 450 million records, equivalent to half the US population, has caused immense damage to the Equifax brand.
Predictably, given the likely long-term consequences for the very heart of the Equifax business, corporate heads have rolled.
The fact that they have leaked 405,000 records relating to UK citizens, probably around a tenth of the records they hold on current UK citizens, will be of concern on this side of the Atlantic.
Equifax is one of three credit reference companies operating in the UK, the others being Experian and Callcredit. Their main activity is to provide credit referencing on businesses and individuals.
To provide credit reports they gather information from lenders, the electoral register, debt collection agencies, credit card companies and hire purchase (HP) companies: in fact anyone who extends credit or chases debt.
The Equifax data breach strikes at the very core of the Equifax business model. The adverse publicity has already shaken confidence in the company, caused a drop in the share price and will almost certainly do immense long-term harm.
US Regulators investigate Equifax data breach
US regulators are already looking into the matter, and you can be sure that American courts will be kept busy with actions from those whose data was lost in the Equifax data breach.
Equifax CEO Richard Smith has announced his retirement. Smith is the third executive to leave the credit monitoring agency, after the CIO and CSO also officially retired following revelations that the company failed to protect its customers sufficiently.
“Speaking for everyone on the board, I sincerely apologise. We have formed a special committee of the board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.”
As Equifax track the financial histories of most of us, you might imagine they take exceptional care when it comes to data security.
Sadly they appear to have fallen over in this regard with alarming regularity: the US breach is their third this year and, worryingly, the latest breach resulted from a known vulnerability in one of their web apps.
The UK ICO has contacted Equifax regarding the leak of UK records; from May 2018 GDPR will give it the increased regulatory powers it needs to deal with multinationals.
In the UK Equifax are regulated by the Financial Conduct Authority, who may wish to look into the matter. On Friday the UK’s data protection regulator, the Information Commissioner’s Office, put out a statement calling on Equifax to “alert affected UK customers at the earliest opportunity”.
The presence of UK records in the US is timely with GDPR on the near horizon. It is an example of why GDPR provides protection and regulation for records held by organisations as they cross borders, in what are known as cross-border data transfers.
Ironically, the Privacy Shield treaty was put in place last year to cover cross-border transfers between EU states and the US.
Hopefully the team of European Union negotiators currently in the US reviewing the first year of Privacy Shield will wish to bring this up.
It is worth remembering that, as records of EU nationals were involved, under GDPR Equifax would be in line to be fined up to 4% of their global turnover. On turnover of $3.14Bn or thereabouts, 4% of which the author puts at $210 Million USD, that could make a handy contribution towards enforcement against future breaches.
You may be interested to know that Equifax reportedly had a previous breach back in March. Although Equifax informed its customers, it chose not to inform the other affected individuals; the reason given was that they were technically not customers of the company.
This didn’t mean the information they had lost was any less sensitive: it related to people like you and me and was possibly just as valuable to criminals as the customer information.
If correct, it points to a worrying disregard at corporate level for the security of the hundreds of millions of individuals and companies whose financial histories they monitor. GDPR regulation has been devised to ensure companies like Equifax pay close attention to the protection of that data and the rights of the individuals whose data is the very basis of the Equifax business.